Capital One, AWS, and Security

Even as a proponent of the long-term impact that cloud services will have on the banking business, I was nothing less than astonished that Capital One has progressed from cloud newbie in 2014 to going “all in” on AWS in 2015.

It didn’t take long to see what Capital One was up to. By leveraging AWS for DevOps and (over time) production, Capital One is on track to reduce the number of data centers it owns and operates from 8 in 2014 to 5 by 2016, to only 3 by 2018. Capital One intends to redeploy the capital it will recoup from data center consolidation into its core businesses while increasing the scope and pace of innovation at the bank.

Capital One is betting that an AWS-based mobile banking platform will allow the bank to support the level of real-time scalability needed to cope with demand spikes such as occurs on Black Friday and Cyber Monday.

Here’s a stellar point (emphasis mine):

But what about security? Security is the most commonly cited reason why most banks are not embracing cloud services, so I was interested to hear Capital One’s take on security. According to Rob [Alexander, Capital One’s CIO], “Of course, security is critical for us. The financial services industry attracts some of the worst cybercriminals. So, we work closely with the Amazon team to develop a security model which we believe enables us to operate more securely in the public cloud than we can even in our own data centers.”

More securely in the cloud? Either Capital One has gone rogue (very doubtful) or it knows something that most banks have yet to reconcile: when it comes to security, it’s much less about where your sensitive data sits and much more about how you secure your data from pranksters and thieves.